Proxy Question

David Peterson davidp at wirelessconnections.net
Wed Apr 25 16:13:51 CEST 2012


Awesome thanks!  I will likely be in testing mode on this in the near future
so I will update the list when I get to that stage.

David

-----Original Message-----
From: Matthew Newton [mailto:mcn4 at leicester.ac.uk] 
Sent: Wednesday, April 25, 2012 9:57 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Proxy Question

On Wed, Apr 25, 2012 at 09:19:58AM -0400, David Peterson wrote:
> I have more of an abstract question as to proxy functionality.  Can 
> you do the following:
> 
> 
> bob at bob.com password test
> 
> bob.com -> proxy to localhost
> bob at bob.com - reply Access Deny
> 
> This would be the norm for that realm, just deny everyone.
> 
> Except for bob's boss:
> 
> boss at bob.com password gooduser
> bob.com -> proxy to actual bob.com external AAA server.
> 
> I hope this isn't a complete mess of a question.

Yes - proxying only happens if you hit the end of the authorize {} section
having set the Proxy-To-Realm control attribute.

So you can set/not set that, based on anything in the incoming packet, to
determine if it should be proxied or not.

Something like (completely untested)

if (User-Name =~ /whatever/) {
  # Matching users are handed to the external realm
  update control {
    Proxy-To-Realm := 'externalaaa'
  }
}
else {
  # Everyone else is rejected locally
  reject
}

Then create realm 'externalaaa' in your proxy.conf file, as normal.

There must be many ways to do this. Another possibility in your users file -

boss at bob.com    Proxy-To-Realm := 'whatever'

DEFAULT         Auth-Type := Reject

Cheers,


Matthew


--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
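
The policy described in the reply above, written out end to end as an added example; it is not part of the original thread and is not FreeRADIUS project code. The names externalaaa_hs and externalaaa_pool, the address 192.0.2.10 and the secret are placeholders assumed for illustration, and the reject is scoped to the bob.com realm as in the original question.

```conf
# --- proxy.conf ---------------------------------------------
# Assumed names and values: externalaaa_hs, externalaaa_pool,
# 192.0.2.10 and the secret are placeholders for illustration.
home_server externalaaa_hs {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = REPLACE_WITH_SHARED_SECRET
}

home_server_pool externalaaa_pool {
    type        = fail-over
    home_server = externalaaa_hs
}

# Realm referenced by Proxy-To-Realm below.
# nostrip forwards User-Name unchanged, including "@bob.com".
realm externalaaa {
    auth_pool = externalaaa_pool
    nostrip
}

# --- authorize {} section of the virtual server -------------
authorize {
    # Only requests for the bob.com realm are handled here.
    # The regex is anchored with $ so "x@bob.com.example" does not match.
    if (User-Name =~ /@bob\.com$/) {
        # Exact comparison: "notboss@bob.com" must not be proxied.
        if (User-Name == "boss@bob.com") {
            update control {
                Proxy-To-Realm := "externalaaa"
            }
        }
        else {
            reject
        }
    }
    # ... remaining authorize modules ...
}
```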


